The language of cyber security is deeply important to properly discuss your results and concerns. However, these technical terms can be confusing or arcane to people who are not familiar with cyber security. To help provide useful explanations of these terms, here is a brief overview of the difference between a vulnerability assessment and a penetration test.
Vulnerability Assessments
A vulnerability assessment is designed to show where the weaknesses of a system lie. Typically you only make a vulnerability assessment if you know that you have issues and need to identify where – and how large – these vulnerabilities lay.
When performing a vulnerability assessment, the end goal should be to have a list of discovered vulnerabilities and a plan for which ones to approach first.
Penetration Tests
Penetration tests, on the other hand, are focused on specific goals that potential threats may have. Say you have a database of client’s personal information. Gaining access to this database could be a major goal for hackers, so a penetration test involving this goal would simulate an attempt to access it.
The end result of a penetration test is a report on if and how security was breached, alongside a suggested solution.
The major difference between the two is that a penetration test has a specific goal or target in mind, and ends when that goal is reached. Whereas a vulnerability assessment is intended to be much more comprehensive.
A Real-World Example
Imagine you are a bank-owner. Penetration test might involve gaining access to the vault, which likely requires the tester to assess major vulnerabilities, but could also just involve finding the first one that works. A penetration test also would not describe vulnerabilities relating to goals outside the vault.
If you were to ask for a vulnerability assessment, you would expect a prioritized list of vulnerabilities. These vulnerabilities would likely include any vulnerabilities a penetration test would find. However, a vulnerability test would also find access to goals you may not think of – employee information instead of vault access, for example.
As IT professionals, the biggest issue we will come across is client’s not understanding the importance or technical details of our work. And while we cannot provide them an in-depth explanation of everything, being able to simplify complex ideas into simple ones is critical. And when providing these tests and assessments, we need to be clear about what our deliverables are.